FortiOS-Carrier Upgrade License Data Sheet

FortiOS-Carrier Upgrade License
Faced with the explosive growth of smart personal devices, IoT sensors
and applications, mobile carriers and mobile virtual network operators
(MVNOs) are challenged by the ever-rising security attacks that threaten
the subscribers, critical infrastructure components and their corporate
brand images.
Fortinet FortiOS-Carrier license provides extended capabilities to the
FortiGate appliances and modular chassis running FortiOS. The extended capabilities are
specifically designed for the mobile networks, providing GTP, SCTP and MMS traffic inspection at
massive scale to complement rich security functionalities of the standard FortiOS.
Flexible Choice of Platforms
From the cost-effective high-performance appliances to the modular carrier-grade chassis and high-end virtualized machines.

Security for Evolved Packet Core (EPC)
FortiOS-Carrier provides an EPC with a complete perimeter protection against cyber and access network attacks.

Rich Feature Set
Security functionalities such as Gi/sGi firewall for both IPv4/v6 traffic, GTP/SCTP/MMS content inspection and high-scale Security Gateway (SeGw).

Highlights
• IPv6-ready Stateful Firewall
• Dynamic Security Profiles and Groups
• VoIP Security
• MMS Security
• GPRS Tunneling Protocol (GTP)
• SCTP Firewall
• High-performance and High-density VPN Concentrator — IPSec and SSL
• SSL-encrypted Traffic Inspection
• Antivirus/Antispyware and Antispam
• Intrusion Prevention System (IPS)
• Data Loss Prevention (DLP)
• Application Control
• Web Filtering
• Gi/sGi Firewall

DEPLOYMENT

Security Gateway (SeGW) Platform
FortiOS Carrier provides the GTP and SCTP firewall functionality to secure software interfaces in both older 2G/3G GPRS core mobility networks, as well as current LTE evolved packet core (EPC) environments. The growing number of deployed evolved NodeB (eNB) platforms in the form of microcells is supported by FortiOS Carrier’s high-performance/high-density VPN support. The use of virtual domains (VDOMs) in FortiOS Carrier deployments simplifies the segregation of SeGW functions into 3GPP software interfaces and device roles.

Gi/sGi Firewall Platform
With BYOD devices accessing the Internet and other data center and cloud-based packet data networks (PDNs), combined with the performance demands of today’s HSPA+, LTE, LTE-Advanced, IoT and future 5G networks, GiFW solutions need to be capable of scaling to support the security requirements of many thousands of concurrent users. FortiOS Carrier provides NGFW and UTM support for IPv4/IPv6 networks, dynamic contexting of subscribers and device-type policies. Included in FortiOS Carrier is support for MMS Scanning, which extends the content filtering, antimalware, and data leakage prevention (DLP) capabilities of FortiOS into MMS-based services.

HIGHLIGHTS
Service providers, including voice operators and mobile operators, will benefit from the hundreds of security-related features included with the FortiOS Carrier upgrade license. As networks migrate to IPv6 and service providers expand their portfolios to unlock new business opportunities, FortiGate consolidated security appliances running the upgrade license are ready to deploy and scale as needed. The license upgrade includes all of the security features available in FortiOS 5.6 plus additional features benefitting service providers, some of which are highlighted below:

Mobile Provider Security
FortiGate appliances running FortiOS Carrier can protect mobile network infrastructures with integrated GPRS Tunneling Protocol (GTP) Firewall functionality, which includes support for GTPv2, ensuring compatibility with a broad range of deployment scenarios. Fully integrated intrusion prevention blocks an array of GTP attacks. MMS Scanning inspects traffic on MM1/3/4/7 interfaces, and includes antivirus, flood detection, email antispam, data leakage prevention, and mobile content filtering to block phishing attacks.

Dynamic Contexts
As their customer bases grow, carriers and service providers find themselves managing hundreds of security policies and thousands of end-users. With Dynamic Contexts, administrators can apply security policies to end-users automatically, greatly reducing the need for manual provisioning and lowering operating expenses.

Voice Security
The Session Initiation Protocol (SIP) Signaling Firewall included with FortiGate appliances running FortiOS Carrier protects voice infrastructure interfacing with untrusted access, peering and trunking networks. Compatible with IP Multimedia Subsystem (IMS) and pre-IMS deployments, FortiOS Carrier helps to ensure Quality of Service (QoS) by preventing flooding and network availability attacks. The SIP firewall integrates seamlessly with the FortiGate and FortiCarrier intrusion prevention system, protecting voice infrastructure from Denial of Service (DoS) attacks and other network-based threats.

Simplified Management
In addition to supporting a rich set of built-in GUI/CLI-based management, including internal logging and reporting, FortiOS Carrier is fully supported by the FortiManager device management and FortiAnalyzer logging and analysis platforms. FortiGates running both FortiOS Carrier and FortiOS devices can be managed together within a common management environment.

SPECIFICATIONS
FORTIOS CARRIER ADD-ON FEATURES

Mobile Security: MMS General
• Monitor Only & Active Blocking Modes (per Interface Type)
• Simultaneous Malware Scanning of MM1/MM3/MM4/MM7 Message Types
• Support for Multiple MMS Policy Profiles for Consolidated or MVNO Deployments
• Customizable Notification Messages (per MVNO)
• MSISDN Header Parsing (including Cookie Extraction & Hex-based Conversions for MM1/MM7 message types)
• MMS Content Archive (Full MMS Message Archiving to FortiAnalyzer Appliances with HTTP/SMTP Transport Headers)
• Per MSISDN & Per Mobile Station Type Reporting of Malicious Activity via FortiAnalyzer Appliances
• MMS File Intercept to FortiAnalyzer Appliances for Forensic Analysis

Mobile Security: MMS Antivirus
• Remove Malicious Content Only Option (allows Message Transaction to complete)
• File Type Analysis with Configurable Block or Intercept Actions (File Extension Independent)
• Configurable Retrieve Message Scanning (MM1) to Avoid Redundant Inspection
• Per Sender Scanning with Configurable Block/Archive/Intercept Actions
• MM1/MM7 Client & Server Comforting

Mobile Security: MMS Antispam/Antifraud
• Configurable Alert Notification to Administrator of Spam or Fraud Activity
• MM1/MM7 Banned Word Scoring with Configurable Block/Pass Actions
• MM1/MM4 Flood Detection with Three Configurable Thresholds with Discrete Actions
• MM1/MM4 Duplicate Message Detection with Configurable Thresholds and Actions

Managed Security: Dynamic Profiles and Groups
• Assign policy profiles using RADIUS Start record with subscribers’ identifying information and profile group names
• Maintain a current dynamic user context list — a list of current carrier end points, IP addresses, and profile group names received in RADIUS Start records
• Option to only accept sessions from dynamic profile users only
• Record event log messages for dynamic profile events.
• HTTP header option to extract source IP addresses and carrier end points in communication sessions
• Cookie Override, also known as browser-based override, can identify different users with differing levels of URL access, for example an adult and a child, if both users have the same IP address. One reason for this situation to occur is when multiple users are behind the same NAT device.

Carrier Networking: SCTP Support
• Protect and inspect SCTP traffic, according to RFC4960
• SCTP over IPsec VPN
• IPS DoS protection against known threats to SCTP traffic, including INIT/ACK flood attacks, and SCTP fuzzing

Carrier Networking: GTP Firewall
Integrated Intrusion Prevention Inspection for GTP Payloads
For Gn/Gp Interfaces (older 3GPP) and S11 and S5/S8 Interfaces (LTE)
• GTP Packet Sanity Check, Length Filtering & Type Screening
• GSN Tunnel Limiting & Rate Limiting
• GTP Stateful Inspection
• Hanging GTP Tunnel Cleanup
• GTP Tunnel Fail-Over for High Availability
• GTP IMSI Prefix (up to 1000) & APN (up to 2000) Filtering
• GTP Sequence Number Validation
• IP Fragmentation of GTP Messages
• GGSN & SGSN Redirection
• Detecting GTP-in-GTP Packets
• GTP Traffic Counting & Logging
• Anti-Overbilling Together with Gi Firewall
• Encapsulated Traffic Filtering with Antispoofing Capabilities
• GTP Protocol Anomaly Detection and Exploit Prevention
• Handover Control to prevent Session Hijacking
For Gi/sGi Interfaces
• Anti-Overbilling together with Gn/Gp Firewall
Integrated IPSec for Secured Tunnels Between Trusted Zones

Voice Security: SIP Signalling Firewall
• Stateful and SIP Protocol-Aware Firewall
• Hardware Accelerated RTP Processing for Reduced Packet Loss, Packet Latency, and Jitter
• Supports SIP Servers in Proxy or Redirect Operating Mode
• Configurable RTP Pinholing Support
• Supports Complex Source & Destination SIP NAT Environments (SIP & RTP Protocols)
• NAT IP Preservation Retains Originating IP Address for Administrative Purposes (e.g. Billing)
• SIP Tracking over Session Lifespan
• SIP Session Failover for Active-Passive High Availability
• SIP Session Load Balancing (via Virtual IP Load Balancing)
• Geographical Redundancy Support
• SIP Rate Limiting to Prevent SIP Server Flooding/Overload
• IP Topology Hiding of SIP & RTP Server (via NAT and NAPT)
• Configurable SIP Command Control Blocks Unauthorized SIP Methods
• SIP Registrar Exclusively Option to Avoid Spoofing of Clients
• SIP Communication Logging to FortiAnalyzer Appliances
• SIP Statistics (Active Sessions, Total Calls, Calls Failed/Dropped, Call Succeeded)
• SIP Transparent (Inspect Only) & NAT (Rewrite SIP Header) Operating Modes

Voice Security: Additional Voice Security Technologies
• Intrusion Prevention System with VoIP Protocol Anomaly & VoIP Protocol Aware Signature-Based Inspection Capabilities
• Denial of Service (DoS) Sensor Protects Trusted Zones from Flooding Attacks

ORDER INFORMATION
With the release of FortiOS 5.0, supported FortiGate models running FortiOS 5.0 and above can be upgraded with the application of a FortiOS Carrier Upgrade License. This is a one-time upgrade, with no additional support or recurring costs other than the initial upgrade.

Currently, the FortiGate models supported by the FortiCarrier Upgrade License include:
• FortiGate 3240C, 3600C, 3950B, 3xxxD, 5001B, 5001C, 5101C, 5001D and FortiGate-VM08/16/32/UL

Product: FortiOS-Carrier Upgrade
SKU: FCR-UPG
Description: FortiOS-Carrier Upgrade License Certificate for supported FortiGate models (3240C, 3600C, 3xxxD, 3950B, 5001B, 5001C, 5001D, 5101C, VM08, VM16, VM32, VMUL).

Copyright© 2017 Fortinet, Inc. All rights reserved. Fortinet®, FortiGate®, FortiCare® and FortiGuard®, and certain other marks are registered trademarks of Fortinet, Inc., in the U.S. and other jurisdictions, and other Fortinet names herein may also be registered and/or common law trademarks of Fortinet. All other
product or company names may be trademarks of their respective owners. Performance and other metrics contained herein were attained in internal lab tests under ideal conditions, and actual performance and other results may vary. Network variables, different network environments and other conditions may affect
performance results. Nothing herein represents any binding commitment by Fortinet, and Fortinet disclaims all warranties, whether express or implied, except to the extent Fortinet enters a binding written contract, signed by Fortinet’s General Counsel, with a purchaser that expressly warrants that the identified product
will perform according to certain expressly-identified performance metrics and, in such event, only the specific performance metrics expressly identified in such binding written contract shall be binding on Fortinet. For absolute clarity, any such warranty will be limited to performance in the same ideal conditions as in
Fortinet’s internal lab tests. In no event does Fortinet make any commitment related to future deliverables, features or development, and circumstances may change such that any forward-looking statements herein are not accurate. Fortinet disclaims in full any covenants, representations, and guarantees pursuant
hereto, whether express or implied. Fortinet reserves the right to change, modify, transfer, or otherwise revise this publication without notice, and the most current version of the publication shall be applicable.
FST-PROD-DS-FCRFCR-OS-DAT-R5-201705